Assign Different IP Pools Based on Managed or Unmanaged Device

adamsb1983
Level 1

Hello,

I am trying to assign separate IP address pools to AnyConnect users based on whether the device they are connecting from has been domain-joined or not (managed device vs unmanaged device). Each domain-joined device does have a machine cert that I can check for. I really don't want to have to use aliases and allow users to select a tunnel group to connect through, and may have situations where a user will connect via managed sometimes, unmanaged other times. DAP works great for identifying the certificate or authenticating via the connection profile/tunnel group, however I don't believe I can assign the IP pool based on the DAP.

Is there a way to auth via the connection profile/tunnel group with certificate and credentials, and fail back (to another connection profile or group policy) if unable to provide the certificate?  If not, any recommendations?  Is this something that could be taken care of with ACS?  Thanks for your help!

2 Replies

Marvin Rhoads
Hall of Fame

If I understand the question, I believe you may be able to use certificate matching rules.

Basically you create a list of rules: if the certificate has field value A, then use connection profile A (with IP address pool A); otherwise use profile B (with pool B), etc.

See this guide section for some more details.
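As an added example (not part of the thread above and not Cisco's documentation), here is an ASA configuration sketch of the approach Marvin describes: a certificate map steers clients that present a matching machine certificate into a connection profile with its own pool, and everything else falls through to the default WebVPN connection profile with a different pool. All names, the issuer CN, the subject OU value and the address ranges are assumptions for illustration.

```cisco
! Address pools for managed (domain-joined) and unmanaged clients (ranges assumed)
ip local pool MANAGED-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool UNMANAGED-POOL 10.10.20.1-10.10.20.254 mask 255.255.255.0

! One group policy per class of device; each carries its own pool
group-policy GP-MANAGED internal
group-policy GP-MANAGED attributes
 address-pools value MANAGED-POOL
group-policy GP-UNMANAGED internal
group-policy GP-UNMANAGED attributes
 address-pools value UNMANAGED-POOL

! Connection profile for managed devices: certificate AND user credentials required
tunnel-group TG-MANAGED type remote-access
tunnel-group TG-MANAGED general-attributes
 default-group-policy GP-MANAGED
tunnel-group TG-MANAGED webvpn-attributes
 authentication aaa certificate

! Fallback for clients that present no (matching) certificate: credentials only
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GP-UNMANAGED
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication aaa

! Certificate map: match the machine cert on issuer CN and subject OU (values assumed)
crypto ca certificate map MAP-MANAGED 10
 issuer-name attr cn eq corp-issuing-ca
 subject-name attr ou eq Domain-Computers

! Bind the map to the managed connection profile
webvpn
 certificate-group-map MAP-MANAGED 10 TG-MANAGED
```

On the ASA, a certificate-map match takes precedence over group-url and alias selection, so no alias drop-down is needed. A client that sends no certificate simply never matches the map and lands in DefaultWEBVPNGroup (or whatever profile its group-url selects), which answers the "fall back to profile B" question. Two caveats a practitioner would check: the map only tests fields of a certificate that already validated against a configured trustpoint, so trust only the corporate issuing CA, or an arbitrary cert with the same OU string would match; and the AnyConnect client profile must be allowed to use the machine certificate store, otherwise a domain-joined box will also fall back. Verify with `show vpn-sessiondb anyconnect`, which lists the Tunnel Group and Assigned IP for each session.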

Thanks for the response Marvin.  I had seen the certificate matching rules but wasn't sure if I could fall back to "profile B" by not being able to present a cert at auth for unmanaged devices.  I will build this up in test and post my results.  Thanks again for the help.  
